
High-Profile DDoS Extortion Attacks — September 2020

Q3 CY2020 - v1.0

Cyber Extortion
by Roland Dobbins, Steinthor Bjarnason on

ASERT Threat Summary

Date/Time:  3 September 2020 0930UTC

Severity:  Warning

Distribution:  TLP: WHITE (Recipients may share TLP: WHITE information without restriction, subject only to standard copyright rules.)

Categories:  Availability

Contributors:  Alexander Cockburn, Carl Neenan, Gareth Tomlinson, Mary Hartzell, Shawn Razavi


Starting in mid-August 2020, a relatively prolific threat actor initiated a global campaign of DDoS extortion attacks largely directed towards regional financial and travel-industry targets such as regional banks, stock exchanges, travel agencies, currency exchanges, and, in some cases, their upstream internet transit providers.  These attacks are characterized by the attacker initiating a demonstration DDoS attack against selected elements of the targeted organization’s online services/application delivery infrastructure, followed by an emailed extortion demand for payment via Bitcoin (BTC) cryptocurrency.  The extortion demands typically state that the attacker has up to 2 Tbps of DDoS attack capacity at the ready, and threatens follow-up attacks if the extortion payments aren’t transmitted to the attacker within a set period of time.

In many cases, when the extortion demands aren’t met, the threatened follow-up attacks do not occur, and the attacker moves on to another target.  In some cases, the attacker elects to persist in attacking the targeted organization, including its upstream transit provider(s).

The threat actor responsible for this attack campaign typically claims to be affiliated with well-known, labeled attack groups discussed in industry media; this is done in hopes of bolstering their credibility with the extortion targets.  Examples of asserted affiliation include ‘Fancy Bear,’ ‘Lazarus Group,’ and ‘Armada Collective’ (the latter being the only one of the claimed identities known to be affiliated with DDoS attack campaigns).  Many would-be extortionists simply send out emailed extortion demands under the names of these various groups; the threat actor behind this campaign does in fact launch DDoS attacks against the targeted organizations, although threatened follow-up attacks often fail to materialize.

The primary attack vectors observed in this campaign are DNS, NTP, ARMS, WS-DD, SSDP, and CLDAP reflection/amplification; spoofed SYN-flooding; GRE and ESP packet-flooding; TCP ACK-floods; and TCP reflection/amplification attacks.  In some cases, the attacker has also made use of other, infrequently-used IPv4 protocols to launch packet-flooding attacks, in hopes of bypassing inadequately-scoped network access policies implemented via router access-control lists (ACLs) and/or firewall rules.

Attack volumes observed over the course of this attack campaign have ranged from 50 Gbps - 200 Gbps, and 150 Kpps - 150 Mpps.  While the attacker has claimed to have up to 2 Tbps of DDoS attack capacity, no attacks approaching this magnitude have taken place, to date.

Both the selection of targeted assets and the recipients chosen to receive the attacker’s extortion demands are indicative of pre-attack reconnaissance on the part of the threat actor.  In multiple instances, critical, yet non-obvious public-facing applications and services were targeted by the attacker.

During extended attacks which include targeting of an organization’s upstream transit ISP(s), the attacker has apparently made use of basic network diagnostic techniques such as running multiple traceroutes in an attempt to identify routers and/or layer-3 switches within the transit ISP network; these network infrastructure devices are subsequently targeted by the attacker.

While in many cases emailed DDoS extortion demands are never viewed by their intended targets due to poor email address selection on the part of the attacker, in this instance, it appears that the threat actor in question has exercised significant due diligence in identifying email mailboxes which are likely to be actively monitored by targeted organizations.

Collateral Impact

In line with observed norms, the collateral impact of these DDoS attacks can be disproportionately high; in some cases, attacks against the upstream transit ISPs supplying internet connectivity to targeted organizations have resulted in significant disruption of bystander traffic traversing the networks of those transit operators.

Mitigating Factors

As is the case with most DDoS attacks, targeted organizations which have adequately prepared in advance to defend their public-facing internet properties and related infrastructure have experienced little or no significant negative impact related to this DDoS extortion campaign.

While the threat actor in question has demonstrated a degree of acuity and willingness to engage in diligent pre-attack reconnaissance, the DDoS attack vectors and targeting techniques employed in this attack campaign to date are well-known, and can be mitigated via standard DDoS countermeasures/protections.

Due to the relatively high visibility of this attack campaign—largely resulting from the deliberate selection of targets within and adjacent to the heavily-regulated financial sector, rather than any uniqueness of the attacks themselves or differentiation from the common run of DDoS extortion attempts—it is assumed that international law enforcement and intelligence community resources are likely to be brought to bear in aid of efforts to identify and apprehend those responsible.

Recommended Actions

Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural, and operational Best Current Practices (BCPs) have been implemented, including situationally-specific network access policies which only permit internet traffic via required IP protocols and ports.  Internet access network traffic from internal organizational personnel should be deconflated from Internet traffic to/from public-facing internet properties, and served via separate upstream internet transit links.
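The following added example (not part of the original advisory) labels inbound flow summaries with the traffic classes listed among the observed attack vectors and checks them against a permit-only policy of the kind recommended above. The flow records, the TCP/80 and TCP/443 policy, and the function names are assumptions made for illustration; the reflector ports are the well-known UDP ports of the named services.

```python
from collections import Counter

# UDP source ports of the reflector services named in the advisory.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 3283: "ARMS", 3702: "WS-DD",
                   1900: "SSDP", 389: "CLDAP"}
IP_PROTO = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}
SYN, ACK = 0x02, 0x10

# Assumption: a web property that needs only TCP/80 and TCP/443 inbound.
PERMITTED = {(6, 80), (6, 443)}  # (IP protocol, destination port)

# Constructed inbound flow summaries (not real traffic).
SAMPLE_FLOWS = [
    {"proto": 17, "sport": 53, "dport": 41022, "bytes": 4000},
    {"proto": 17, "sport": 389, "dport": 80, "bytes": 3000},
    {"proto": 17, "sport": 3283, "dport": 5123, "bytes": 1000},
    {"proto": 47, "bytes": 1400},
    {"proto": 50, "bytes": 1200},
    {"proto": 33, "bytes": 500},  # an infrequently used IP protocol
    {"proto": 6, "sport": 80, "dport": 33000, "flags": SYN | ACK, "bytes": 60},
    {"proto": 6, "sport": 50211, "dport": 443, "flags": SYN, "bytes": 60},
    {"proto": 6, "sport": 40000, "dport": 443, "flags": ACK, "bytes": 60},
]

def classify(flow):
    """Label one inbound flow with the traffic class it matches."""
    proto, flags = flow["proto"], flow.get("flags", 0)
    if proto == 17 and flow.get("sport") in REFLECTOR_PORTS:
        return REFLECTOR_PORTS[flow["sport"]] + " reflection/amplification"
    if proto == 6:
        return {SYN: "TCP SYN", ACK: "TCP ACK",
                SYN | ACK: "TCP SYN/ACK"}.get(flags, "TCP other")
    return IP_PROTO.get(proto, f"IP protocol {proto}") + " packets"

def audit(flows, permitted=PERMITTED):
    """Return (dropped, passed) byte totals per traffic class under the policy."""
    dropped, passed = Counter(), Counter()
    for flow in flows:
        allowed = (flow["proto"], flow.get("dport")) in permitted
        (passed if allowed else dropped)[classify(flow)] += flow["bytes"]
    return dropped, passed

if __name__ == "__main__":
    dropped, passed = audit(SAMPLE_FLOWS)
    for name, counter in (("dropped", dropped), ("passed", passed)):
        for label, total in sorted(counter.items()):
            print(f"{name:8} {label:35} {total} bytes")
```

In this sample the policy removes the reflected UDP, GRE, ESP, and unusual-protocol traffic, while SYN and ACK packets aimed at the permitted service port pass the ACL and are left to the other DDoS countermeasures.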

Critical supporting ancillary services such as authoritative DNS should also be designed, deployed, and operated in a manner consistent with all relevant BCPs.

Upon receipt of any demands for DDoS extortion payments, targeted organizations should immediately engage with their peers/transit ISPs, other organizations providing critical internet-facing services (such as authoritative DNS hosters), and situationally-appropriate law enforcement organizations. They should ensure that their DDoS defense plans are activated and validated, and maintain a vigilant alert posture.

DDoS defenses for all public-facing internet properties and supporting infrastructure should be implemented in a situationally-appropriate manner, including periodic testing to ensure that any changes to the organization’s servers/services/applications are incorporated into its DDoS defense plan.  Organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services in order to ensure maximal responsiveness and flexibility during an attack.

It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/applications/datastores/infrastructure elements are protected against DDoS attacks, and are included in periodic, realistic tests of the organization’s DDoS mitigation plan.  In many instances, we have encountered situations in which obvious elements such as public-facing Web servers were adequately protected, but authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.

Specifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks/resources; the relevant NETSCOUT Arbor account teams and/or the Arbor Technical Assistance Center (ATAC) may be consulted with regards to optimal countermeasure selection and employment.

Organizations should familiarize themselves with the particulars of previous high-profile DDoS extortion campaigns, with a special emphasis on the ‘DD4BC’ series of attacks launched between 2014–2016.  There are multiple points of correspondence between the modus operandi of the DD4BC threat actor and that of the threat actor responsible for this DDoS extortion campaign.


Applicable NETSCOUT Arbor Solutions:  Arbor Sightline, Arbor TMS, Arbor AED, Arbor Cloud

Historical DDoS extortion presentation (.pdf)

Mutually Agreed Norms for Routing Security (web)
